Zero-Tap iMessage Hack Let Hackers Slip Into iPhones Undetected


Citizen Lab has published the first forensic confirmation that Paragon Solutions’ “Graphite” spyware infected iPhones belonging to at least two European journalists, exploiting a previously unknown iMessage flaw that Apple fixed in February with iOS 18.3.1.

Citizen Lab’s report, published today, says both phones contacted the same Paragon-controlled server and logged traffic from an attacker-run iMessage account the team labels ATTACKER1. That match, along with other technical fingerprints, let researchers attribute the hack to Graphite with what they call “high confidence.” The victims include Ciro Pellegrino, bureau chief at Naples-based Fanpage.it, and a second reporter who asked to stay anonymous.

The attack exploited a previously unknown flaw in iMessage that weaponised Apple’s own iCloud Link feature. A single booby-trapped photo or video, sent invisibly, was enough to open the door. Because the exploit was “zero-click,” neither reporter had to open, read, or even see the message for the spyware to take hold. From there, Graphite could rummage through chats, photos, and even encrypted apps like Signal, all while the user carried on unaware.


Apple actually fixed the hole months ago. On 10 February 2025, the company pushed out iOS and iPadOS 18.3.1, quietly patching what it now tracks as CVE-2025-43200. The company publicly named the bug in an update on 11 June after Citizen Lab shared its evidence. The same update also closed CVE-2025-24200, an unrelated flaw that could bypass USB Restricted Mode. Anyone running 18.3.1 or later is protected, while anyone who has postponed updates is still vulnerable.

Graphite joins a crowded field of mercenary spyware alongside NSO Group’s Pegasus, Cytrox’s Predator, and QuaDream’s Reign. All promise turnkey phone hacking to governments willing to pay millions for shortcuts past encryption. Europe is feeling the heat: Members of the European Parliament are investigating spyware abuses, and Italy’s intelligence oversight committee has opened hearings into Paragon after earlier revelations that the country’s security services used Graphite against activists.

Citizen Lab points out that each confirmed infection chips away at press freedom. Journalists cannot protect sources if an invisible program is scooping up drafts, contact lists, and location tracks. The lab urges anyone who receives an Apple threat alert, or similar warnings from Meta or WhatsApp, to treat it as urgent and seek expert help rather than dismissing it as a glitch.

Apple, for its part, says it discloses bugs only after fixes ship, arguing that early publicity just arms attackers. Critics counter that the company’s hush-hush approach leaves ordinary users unaware of the risks they run when they delay updates. What both sides agree on is that rapid patching matters: for most of us, software updates are the cheapest body armor money can buy.

Apple Hacks Are Rare, but Not Impossible

Zero-click exploits cost millions of dollars and are aimed at high-value targets, but they rely on victims delaying routine updates. If your iPhone is already on iOS 18.3.1 or later, you are protected against Graphite. If you have postponed updates, install the latest release immediately and turn on automatic updates in Settings > General > Software Update.

Enable Lockdown Mode if your work makes you a likely target. Finally, never ignore an Apple threat notification; treat it as urgent, contact a digital-security hotline like Access Now’s, and let experts examine your device. Sophisticated spyware cannot stroll through a door that has already been welded shut.
